From 988bafe813d728207cfe3522ca371f593d07b0d0 Mon Sep 17 00:00:00 2001 From: Yuras Shumovich Date: Wed, 3 Jun 2026 23:01:35 +0200 Subject: [PATCH 1/2] Don't let crypton-connection resolve hostname Instead use the existing resolver. --- http-client-tls/Network/HTTP/Client/TLS.hs | 48 ++++++++++++---------- 1 file changed, 27 insertions(+), 21 deletions(-) diff --git a/http-client-tls/Network/HTTP/Client/TLS.hs b/http-client-tls/Network/HTTP/Client/TLS.hs index 965d3fda..b2dab5ea 100644 --- a/http-client-tls/Network/HTTP/Client/TLS.hs +++ b/http-client-tls/Network/HTTP/Client/TLS.hs @@ -124,15 +124,18 @@ getTlsConnection :: Maybe NC.ConnectionContext -> IO (Maybe HostAddress -> String -> Int -> IO Connection) getTlsConnection mcontext tls sock = do context <- maybe NC.initConnectionContext return mcontext - return $ \_ha host port -> bracketOnError - (NC.connectTo context NC.ConnectionParams - { NC.connectionHostname = strippedHostName host - , NC.connectionPort = fromIntegral port - , NC.connectionUseSecure = tls - , NC.connectionUseSocks = sock - }) - NC.connectionClose - convertConnection + return $ \ha host port -> do + let params = NC.ConnectionParams + { NC.connectionHostname = strippedHostName host + , NC.connectionPort = fromIntegral port + , NC.connectionUseSecure = tls + , NC.connectionUseSocks = sock + } + withSocket (const $ pure ()) ha host port $ \socket -> do + -- This block is exception-safe thanks to withSocket. + -- We won't send TLS bye in case of exception, but that's OK + conn <- NC.connectFromSocket context socket params + convertConnection conn getTlsProxyConnection :: Maybe NC.ConnectionContext 
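Review bot: In `getTlsConnection`, the new `withSocket (const $ pure ()) ha host port` opens the TCP connection straight to the target `host`/`port` even when `sock` carries SOCKS settings, which now travel only inside `params`. The removed `NC.connectTo` call was what acted on `NC.connectionUseSocks`. Unless `NC.connectFromSocket` negotiates the proxy on an already-connected socket (I don't believe it does; please confirm against crypton-connection), a manager configured with a SOCKS proxy would silently connect directly and resolve the hostname locally. I would keep the `connectTo` path whenever `sock` is `Just` and use the socket path only for `Nothing`, as sketched below; a test whose SOCKS setting points at a closed port would pin the fail-closed behaviour. The function's type signature starts above the hunk.

```haskell
    return $ \ha host port -> do
        -- … unchanged: let params = NC.ConnectionParams { … } …
        case sock of
            -- A configured SOCKS proxy must stay in the path, so keep
            -- the connectTo route that acts on connectionUseSocks.
            Just _ -> bracketOnError
                (NC.connectTo context params)
                NC.connectionClose
                convertConnection
            Nothing -> withSocket (const $ pure ()) ha host port $ \socket -> do
                conn <- NC.connectFromSocket context socket params
                convertConnection conn
```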
@@ -141,18 +144,21 @@ getTlsProxyConnection -> IO (S.ByteString -> (Connection -> IO ()) -> String -> Maybe HostAddress -> String -> Int -> IO Connection) getTlsProxyConnection mcontext tls sock = do context <- maybe NC.initConnectionContext return mcontext - return $ \connstr checkConn serverName _ha host port -> bracketOnError - (NC.connectTo context NC.ConnectionParams - { NC.connectionHostname = strippedHostName serverName - , NC.connectionPort = fromIntegral port - , NC.connectionUseSecure = Nothing - , NC.connectionUseSocks = - case sock of - Just _ -> error "Cannot use SOCKS and TLS proxying together" - Nothing -> Just $ NC.OtherProxy (strippedHostName host) $ fromIntegral port - }) - NC.connectionClose - $ \conn -> do + return $ \connstr checkConn serverName ha host port -> do + let params = NC.ConnectionParams + { NC.connectionHostname = strippedHostName serverName + , NC.connectionPort = fromIntegral port + , NC.connectionUseSecure = Nothing + , NC.connectionUseSocks = + case sock of + Just _ -> error "Cannot use SOCKS and TLS proxying together" + Nothing -> Just $ NC.OtherProxy (strippedHostName host) + $ fromIntegral port + } + withSocket (const $ pure ()) ha host port $ \socket -> do + -- This block is exception-safe thanks to withSocket. + -- We won't send TLS bye in case of exception, but that's OK + conn <- NC.connectFromSocket context socket params NC.connectionPut conn connstr conn' <- convertConnection conn From 16305e4599c56fe94dc22aa7868b69f68bb04992 Mon Sep 17 00:00:00 2001 From: Yuras Shumovich Date: Sun, 7 Jun 2026 15:57:00 +0200 Subject: [PATCH 2/2] drop comments --- http-client-tls/Network/HTTP/Client/TLS.hs | 4 ---- 1 file changed, 4 deletions(-) diff --git a/http-client-tls/Network/HTTP/Client/TLS.hs b/http-client-tls/Network/HTTP/Client/TLS.hs index b2dab5ea..8668f857 100644 --- a/http-client-tls/Network/HTTP/Client/TLS.hs +++ b/http-client-tls/Network/HTTP/Client/TLS.hs 
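Review bot: The `error "Cannot use SOCKS and TLS proxying together"` guard in `getTlsProxyConnection` now sits in a record field that may never be evaluated. `NC.connectTo` had to inspect `NC.connectionUseSocks`, but `NC.connectFromSocket` receives an already-connected socket and, as far as I can tell, has no reason to force that field. With `sock = Just _` the call would then proceed without the SOCKS proxy instead of failing. Make the check explicit before opening the socket, e.g. `when (isJust sock) $ error "Cannot use SOCKS and TLS proxying together"` (this needs `when` and `isJust` in scope, which the hunk does not show), and consider dropping the `NC.OtherProxy` value if it no longer has any effect. The lambda body continues below the hunk.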
@@ -132,8 +132,6 @@ getTlsConnection mcontext tls sock = do , NC.connectionUseSocks = sock } withSocket (const $ pure ()) ha host port $ \socket -> do - -- This block is exception-safe thanks to withSocket. - -- We won't send TLS bye in case of exception, but that's OK conn <- NC.connectFromSocket context socket params convertConnection conn @@ -156,8 +154,6 @@ getTlsProxyConnection mcontext tls sock = do $ fromIntegral port } withSocket (const $ pure ()) ha host port $ \socket -> do - -- This block is exception-safe thanks to withSocket. - -- We won't send TLS bye in case of exception, but that's OK conn <- NC.connectFromSocket context socket params NC.connectionPut conn connstr conn' <- convertConnection conn